Developer blog

Getting started with OAuth2 in Go

Introduction

Authentication is usually a crucial part in any web app. You could always roll your own authentication mechanics if you wanted, however, this creates an additional barrier between the user and your web app: Registration.

That’s why OAuth, and earlier OAuth2, was created. It makes it much more convenient to log in to your app, because the user can log in with one of the many accounts he already has.

What we’ll cover in this tutorial

We will set up a web app with OAuth2 provided by Google. For this we’ll need to:
1. Create a web app in Google and get our ClientID and a ClientSecret.
2. Put those into accessible and fairly safe places in our system.
3. Plan the structure of our web app.
4. Make sure we have the needed dependencies.
5. Understand how OAuth2 works.
6. Write the application logic.

Let’s begin.

Creating a project in Google and getting the client ID and secret

First, go to the Google Cloud Platform and create a new project. Later open the left menu, and open the API Manager. There, search for the Google+ API and enable it.

Next, open the credentials submenu, and choose Create credentials -> OAuth client ID. The application type should be Web application and give it a custom name if you want. In “Authorized JavaScript origins” put in the address of the site you’ll be login in from. I will use http://localhost:3000. Then, in the field Authorized redirect URLs put in the address of the site, to which the user will be redirected after logging in. I’ll use http://localhost:3000/GoogleCallback.

Now the client ID and client secret should be displayed for you. Write them down somewhere safe. Remember that the client secret has to stay secret for the entire lifetime of your app.

Safely storing the client ID and secret

There are many ways to safely store the client ID and secret. In production you should make sure that the client secret remains secret.

In this tutorial we won’t cover this. Instead, we will store those variables as system environment variables. Now:
* Create an environment variable called googlekey holding your client ID.
* Create an environment variable called googlesecret holding your client secret.

Planning the structure

In this tutorial we’ll write code in one file. In production you would want to split this into multiple files.

Dependencies

You will need to

go get golang.org/x/oauth2

if you don’t have it already.

Understanding OAuth2

To really integrate OAuth2 into our web application it’s good to understand how it works.
That’s the flow of OAuth2:
1. The user opens the website and clicks the login button.
2. The user gets redirected to the google login handler page. This page generates a random state string by which it will identify the user, and constructs a google login link using it. The user then gets redirected to that page.
3. The user logs in and gets back a code and the random string we gave him. He gets redirected back to our page, using a POST request to give us the code and state string.
4. We verify if it’s the same state string. If it is then we use the code to ask google for a short-lived access token. We can save the code for future use to get another token later.
5. We use the token to initiate actions regarding the user account.

Writing the application logic

Before starting remember to import the golang.org/x/oauth2 package.
To begin with, let’s write the home page handler:

First we check the state variable, and notify the user if it doesn’t match. If it matches we get the code and communicate with google using the Exchange function. We have no context so we use NoContext.

Later, if we successfully get the token we make a request to google passing the token with it and get the users userinfo. We print the response to our user.

Conclusion

That’s all we have to do to integrate OAuth2 into our Golang application. I hope that I helped someone with this problems as I really couldn’t find beginner-suited, detailed resources about OAuth2 in Go.

This is not authentication; you need to use OpenID Connect (also supported by Google) for authentication. With OAuth you only got the authorization to read some details of the user, so you only proved he is authenticated against Google, but you’ve not authenticated the user in your app by delegating to Google.
See http://oauth.net/articles/authentication/

OAuth2 isn’t authentication in the sense that it doesn’t authenticate your application into google as the user. You are authorized to do some things you want to do.

However, with this, you are authorized to get the userID from the OAuth provider, and you know that the user successfully authenticated with the OAuth provider. So you just proved the identity of your user to be the owner of the OAuth provider account. And because of that you can authenticate him into your app.

You just have to remember to add some userID translation between your app and the OAuth provider, or you can end up with duplicates from various providers.

I’m not really sure if I understand well, so please clarify this to me. Doesn’t the part about common pitfalls, actually say that if you properly use the state variable and the client uses proper encryption (tls/ssl) throughout the process, then it actually is a method of authentication? Because this way we know that the user actually is the owner of the google account.

Am I missing something regarding the googleOauthConfig regarding the Endpoint? Your code shows it referencing something called google.Endpoint but I don’t see that referenced anywhere else and I am unable to build the example because of this.